ARD will not authenticate OD users in ard_admin group
I can successfully control a client with a local account using ARD 3.0, but not with an OD account added to the WGM group ard_admin, ard_reports, etc. I have been successful at times with both OD and Active Directory accounts, but cannot get consistent results and need to add hundreds of Macs to ARD for management.
I have confirmed the client and server are talking via WGM as I can move the client's dock around using Group/Prefs and changing the Dock display.
I can even login at the client using the OD user's credentials, but again, from ARD, access is denied using the OD user's credentials.
ARD simply will not let me manage/generate reports of clients using the OD user credentials, I get 'Authentication failed to "client name"' when I click on Control or Observe. The Client Status column reports Access Denied.
All clients are running 10.4.6 or better.
Ultimately, my intent is to use AD users as members of the ard_admin, etc. groups and have successfully done so a few times, but not consistently.
Am desperate for some guidance and Apple Tech support has recreated the problem once, but can no longer recreate in order to continue working the issue.
I am wondering if there is a random Kerberos authentication issue going on, but I have even used KB300765 to prevent clients from getting conflicting sources.
Ideas?
Here's the fix.
First from the Remote Desktop application you must create a Client installer (from the ARD File menu). When building the installer be sure to answer the following questions...
Customized installer. YES
Remote Desktop Startup; YES
Show ARD Menu: Your choice
Create Users?: No
Enable directory-based Administration: YES (what was necessary for me to get working)
Specify access privileges: Your choice
Other settings are your option...
Save the new Client installer.
Secondly, move it to your clients and run it. If necessary, this will upgrade your clients' ARD client software and open the door for AD/OD Administration access.
I couldn't find this documented anywhere. I would have thought the necessary "Enable Directory-Based Administration" would have been in the client's ARD Access Privileges screen somewhere.
G5 Xserve ARD 3.0 Mac OS X (10.4.7)
Similar Messages
-
Domain user account will not authenticate once user logs out and logs back in
Greetings,
I am having difficulty resolving an issue with a Mac user on my domain. The user can log in no problem from the initial start up; however, when the user logs out and tries to log back in, the domain account and the password doesn't authenticate. The only way the user can log back in is by shutting down completely.
The guys around here who know anything about that hang out on Mac OS X Server forum. Many of them support mixed Server environments in their day jobs.
OS X Server
-
Cisco 1142 Wireless access point intermittently will not authenticate
Hi all,
We have a Cisco 1142 standalone access point, and from time to time I will come into the office and it will not authenticate any users to either our guest or corporate networks. I then have to go in and reboot the access point. After that, it begins to work. Any advice? Here's my configuration below:
Current configuration : 6450 bytes
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname cisco-chiap01
logging monitor errors
enable secret 5 $1$fsD8$CU42/3/Up5AAlL4hQWvvg0
aaa new-model
aaa group server radius rad_eap
server 172.17.16.12 auth-port 1645 acct-port 1646
server 172.17.21.10 auth-port 1812 acct-port 1813
aaa group server radius rad_mac
aaa group server radius rad_acct
aaa group server radius rad_admin
aaa group server tacacs+ tac_admin
aaa group server radius rad_pmip
aaa group server radius dummy
server 172.17.21.10 auth-port 1812 acct-port 1813
aaa group server radius rad_eap2
server 172.17.16.12 auth-port 1645 acct-port 1646
server 172.17.21.10 auth-port 1812 acct-port 1813
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication login eap_methods2 group rad_eap2
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
login on-failure log
login on-success log
dot11 syslog
dot11 vlan-name Admin vlan 100
dot11 vlan-name DevNetwork vlan 20
dot11 vlan-name Guest vlan 150
dot11 vlan-name Network vlan 16
dot11 ssid DevNetwork
vlan 20
authentication open eap eap_methods2
authentication network-eap eap_methods2
authentication key-management wpa version 2
dot11 ssid Guest
vlan 150
authentication open
authentication key-management wpa version 2
guest-mode
mbssid guest-mode
wpa-psk ascii 7 142407060101380B013A3A2670435642
information-element ssidl advertisement
dot11 ssid Network
vlan 16
authentication open eap eap_methods2
authentication network-eap eap_methods2
authentication key-management wpa version 2
username monkeyman privilege 15 secret 5 $1$ZZ7C$rqimu2FNONdfeacMNGAD/.
bridge irb
interface Dot11Radio0
no ip address
ip helper-address 172.17.19.10
no ip route-cache
encryption mode ciphers aes-ccm
encryption vlan 16 mode ciphers aes-ccm
encryption vlan 150 mode ciphers aes-ccm
encryption vlan 20 mode ciphers aes-ccm
ssid DevNetwork
ssid Guest
ssid Network
antenna gain 0
parent timeout 120
speed 5.5 11.0 basic-6.0 9.0 12.0 36.0 48.0 54.0
packet retries 128 drop-packet
channel 2462
station-role root
rts threshold 512
rts retries 128
interface Dot11Radio0.11
encapsulation dot1Q 11
no ip route-cache
interface Dot11Radio0.16
encapsulation dot1Q 16 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface Dot11Radio0.20
encapsulation dot1Q 20
no ip route-cache
bridge-group 20
bridge-group 20 subscriber-loop-control
bridge-group 20 block-unknown-source
no bridge-group 20 source-learning
no bridge-group 20 unicast-flooding
bridge-group 20 spanning-disabled
interface Dot11Radio0.150
encapsulation dot1Q 150
no ip route-cache
bridge-group 150
bridge-group 150 subscriber-loop-control
bridge-group 150 block-unknown-source
no bridge-group 150 source-learning
no bridge-group 150 unicast-flooding
bridge-group 150 spanning-disabled
interface Dot11Radio1
no ip address
ip helper-address 172.17.19.10
no ip route-cache
encryption vlan 16 mode ciphers aes-ccm
encryption vlan 150 mode ciphers aes-ccm
encryption vlan 20 mode ciphers aes-ccm
ssid DevNetwork
ssid Guest
ssid Network
antenna gain 0
traffic-metrics aggregate-report
dfs band 3 block
mbssid
parent timeout 120
speed 6.0 12.0 basic-24.0 36.0 48.0 54.0
channel width 40-above
channel dfs
station-role root access-point
interface Dot11Radio1.11
encapsulation dot1Q 11
no ip route-cache
interface Dot11Radio1.16
encapsulation dot1Q 16 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface Dot11Radio1.20
encapsulation dot1Q 20
no ip route-cache
bridge-group 20
bridge-group 20 subscriber-loop-control
bridge-group 20 block-unknown-source
no bridge-group 20 source-learning
no bridge-group 20 unicast-flooding
bridge-group 20 spanning-disabled
interface Dot11Radio1.150
encapsulation dot1Q 150
no ip route-cache
bridge-group 150
bridge-group 150 subscriber-loop-control
bridge-group 150 block-unknown-source
no bridge-group 150 source-learning
no bridge-group 150 unicast-flooding
bridge-group 150 spanning-disabled
interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
no keepalive
interface GigabitEthernet0.11
encapsulation dot1Q 11
no ip route-cache
interface GigabitEthernet0.16
encapsulation dot1Q 16 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
interface GigabitEthernet0.20
encapsulation dot1Q 20
no ip route-cache
bridge-group 20
no bridge-group 20 source-learning
bridge-group 20 spanning-disabled
interface GigabitEthernet0.100
encapsulation dot1Q 100
ip address 192.168.100.3 255.255.255.0
no ip route-cache
bridge-group 100
no bridge-group 100 source-learning
bridge-group 100 spanning-disabled
interface GigabitEthernet0.150
encapsulation dot1Q 150
no ip route-cache
bridge-group 150
no bridge-group 150 source-learning
bridge-group 150 spanning-disabled
interface BVI1
ip address 172.17.16.251 255.255.255.0
no ip route-cache
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface GigabitEthernet0
access-list 1 permit 172.17.16.1
access-list 1 remark Admin network access
access-list 1 permit 192.168.100.0 0.0.0.255
radius-server attribute 32 include-in-access-req format %h
radius-server host 172.17.21.10 auth-port 1812 acct-port 1813 key 7 047958071C3561410D4A44
radius-server host 172.17.16.12 auth-port 1645 acct-port 1646 key 7 08045E471A48574446
radius-server host 172.17.21.10 auth-port 1645 acct-port 1646 key 7 1320051B185D56797F
radius-server timeout 15
radius-server vsa send accounting
bridge 1 route ip
line con 0
line vty 0 4
access-class 1 in
end
When the issue occurs, does that affect both 2.4GHz & 5GHz devices? I would check which band the affected devices are operating on.
I noticed you have set CH11 under Radio 0 statically. I would prefer to configure it as below so the AP can change the channel depending on the environment.
int d0
channel least-congested
HTH
Rasika
**** Pls rate all useful responses ****
-
Recently installed an OWC SSD hard drive in a mid-2009 MacBook Pro. The performance increase has been great! The problem I am having is the Finder will not authenticate for anything.
Let's say I want to move a file into my /Library/Application Support folder.
http://i.imgur.com/cbqqV3l.png
http://i.imgur.com/tsFSoeu.png
The Finder just churns away. The same issue goes for unlocking System Preferences. (Try System Prefs / Users & Groups, then click the lock icon. You should get an authentication dialog pop-up box; I never do.)
I have restarted in safe mode or what ever it's called (holding the R key) to repair permissions, to no avail. Help!
I'm sure it has to do with permissions. Booting back into my HDD, I can do all of the above, though booting from the SSD, something has gotten corrupted. I know it's a corrupt system issue because I was able to make another user once upon a time.
Hi, see if this works...
First, Safe Boot (holding Shift key down at bootup), use Disk Utility from there to Repair Permissions, test if things work OK in Safe Mode.
Then move these files to the Desktop...
/Users/YourUserName/Library/Preferences/com.apple.finder.plist
/Users/YourUserName/Library/Preferences/com.apple.dock.plist
/Users/YourUserName/Library/Preferences/com.apple.systempreferences.plist
/Users/YourUserName/Library/Preferences/com.apple.sidebarlists.plist
/Users/YourUserName/Library/Preferences/com.apple.desktop.plist
/Users/YourUserName/Library/Preferences/com.apple.recentitems.plist
Reboot & test.
PS. Safe boot may stay on the gray radian for a long time, let it go, it's trying to repair the Hard Drive.
-
My new apps have changed to try within creative cloud; and my installed apps will not authenticate. I recently canceled one subscription and replaced it with another. Can you please look at it and correct?
Solution for Windows 8.1: Locate the C:\Users\USER\AppData\Local\Adobe\OOBE folder. Log out of Creative Cloud and from Task Manager end task for Creative Cloud. From the OOBE folder delete ALL files. Do not delete folders (com.adobe.accc.apps & com.adobe.accc.home). When complete, restart Creative Cloud and log in with ID and Password.
-
I ordered my new S5 online and after following the steps outlined in exact order, my old phone no longer works and the S5 will not authenticate. Now I have no phone and I am becoming frustrated.
It downloaded all my contacts and photos with no problem. I called the number they gave me from my old phone and then turned it off. I then put the SIM card in and charged the phone. I followed all the setup steps and now I cannot send any text or make any phone calls. I get a message that they cannot authenticate my phone to dial #8899 but get the same message.
Hello Notahappycamper1962
Let's get that S5 up and running! I want you to love the S5! Is the old device powered off? What zip code are you in?
I look forward to hearing from you and getting this addressed.
JoeL_VZW
Follow us on Twitter @VZWSupport
-
EBS 7.3 "Could not authenticate this user name and password, try again"
I have just installed Sun StorEdge Enterprise Backup Software 7.3 on a new Solaris 10 (06/06) system. I have installed the following packages with no errors: SUNWebsc (Client), SUNWebsn (Storage Node), SUNWebss (Server), SUNWebsm (Man pages) and SUNWebsg (Console).
I have executed the "nsraddadmin" command for both root and administrator.
I start the web browser with http://<hostname>:9000 and the java software loads with no errors. But when I try to login for the first time with administrator/administrator, I get the following error:
ERROR: Could not authenticate this user name and password, try again
I think the client is not able to do a HTTP POST to the WLS server but it can do a HTTP GET.
I don't know why.
http://manojc.com
"Ganesh" <[email protected]> wrote in message
news:3eba91bc$[email protected]..
>
Hi,
I deployed a rpc web service using WLS 7.0 SP2 in HP-UX 11 environment. When I invoke the web service through my browser (IE 6.0) using the web services url, it brings my service method correctly. From there, if I click the invoke button it asks me for a network user name and password under "weblogic" realm??? If I provide the admin user credentials (which I supplied while creating my domain) it is not accepting that it keeps popping up this network user password window over and over. Not sure which username/password I have to provide here to see the result of my service.
If I try to invoke the web service through my client (static) I am getting a connection refused exception. I guess either way, I am not able to access my web service.
In the attached file, I have cut and pasted the client stack trace as well as the server log trace from weblogic.
Any ideas would be highly appreciated.
Thanks,
Ganesh
-
1310 Root Bridge will not Authenticate with 350 Non Root Bridge
I've exhausted myself solving this issue.
I have a 1310 set as a root bridge using WEPS. I have a 350 set as a non root bridge/without clients, also using WEPS (they both use the same SSID).
The 350 will not authenticate to the 1310. After doing a Carrier Busy Test, it is clear the 350 sees the 1310 with signal strength of 100 percent.
(I have a test lab setup in my office)
If I make the 350 the Root Bridge and the 1310 the Non Root, The 1310 will authenticate to the 350.
I'm hoping someone else has seen this problem and can enlighten me.
Thank you.
I have successfully configured a 1310 Bridge as a Root Bridge and a BR350 Bridge as a Non Root Bridge/with Clients. I also had to force the 1310 to operate at 11MB only.
As soon as I make the BR350 Bridge a Non Root Bridge/without Clients, the authentication is dropped between the two.
I was hoping I could transition to the 1310 one unit at a time since I have over a dozen 350's to replace.
-
A login webpage gives the message "This script requires that jquery.js be loaded first." then will not show the user ID and password login boxes. How can this be corrected?
That message is listed in two scripts on the bank's site. One function that can display the message is named PhotoRotator and the other is named PromoRotator. However, I can't seem to trigger the error myself.
If you have any add-ons that alter the page, such as ad blockers, try creating an exception for these sites and see whether that helps:
www.northrim.com
www.northrimbankonline.com
You also could try this logon page: https://www.northrimbankonline.com/onlineserv/HB/Signon.cgi
(Obviously you should be cautious about links offered on public forums to ensure you are not being phished! Check them out carefully before entering your username and password.)
-
Behance will not authenticate my adobe username...
Cannot get Lightroom and my Behance to cooperate. Logs in on the Behance website fine and on Lightroom fine as well but when I try to set up Behance from Lightroom it will not authenticate my ID.
Behance doesn't work at all in Lightroom currently. This happened when they egalized the Adobe logins with the Behance logins. For some reason Adobe is not fixing it and their official word is to manually upload. Silly indeed.
-
W2K will not authenticate to Mac OS X Server.
My Mac OS X 10.4.3 will authenticate via Open Directory, but my Windows 2000 Pro. machine will not authenticate with Active Directory. Is there any trick to get Active Directory running on the OS X Server?
Thanks.
Your question would be easier to answer if you had included information of what Mac you have and what version of Garageband you are trying to reinstall.
And why you deleted it in the first place.
-
Listener Error "TNS-01189: The listener could not authenticate the user"
Good morning. We have a dual-homed (one home is 10.2.0.4 and the other is 10.2.0.5) server running a 10.2.0.5 listener. We accidentally applied the April2011 PSU to the 10.2.0.5 home without shutting down the listener. The PSU installed correctly but the listener now gives the error "TNS-01189: The listener could not authenticate the user" when any attempt is made to run the following lsnrctl commands: reload, stop, services, and status. When the start command is issued, it informs us the listener is already running (which is correct). The listener is working properly handing off database connections but we cannot administer it.
Would installing the PSU while the listener was running cause this problem? Any idea on how to reload the listener? We even went so far as to deinstall 10.2.0.5 on the server and reinstall it with a clean cloned copy of 10.2.0.5. We also tried to create a new listener (which it did) but would not start the new listener. It said one listener was already running.
From EM Grid Control, we can administer the listener (make basic changes to the listener.ora file) but we cannot stop the listener from EM Grid Control either. (Not a surprise.)
Ideas? Thoughts?
Server: Solaris 64-bit
>lsnrctl status listener
LSNRCTL for Solaris: Version 10.2.0.5.0 - Production on 27-APR-2011 08:23:43
Copyright (c) 1991, 2010, Oracle. All rights reserved.
Connecting to (ADDRESS=(PROTOCOL=TCP)(HOST=prodserv)(PORT=1521))
TNS-01189: The listener could not authenticate the user
I have read the Metalink doc (Doc ID 285439.1) and it seems like the two homes are causing some type of conflict. I am just not sure how to resolve the issue. I tried unsetting ORACLE_HOME in both 10.2.0.4 and 10.2.0.5 SID environments. The error I get then is the basic TNANAMES error. That sequence looks like this:
>unset ORACLE_HOME
>echo $ORACLE_HOME
>lsnrctl status
LSNRCTL for Solaris: Version 10.2.0.5.0 - Production on 27-APR-2011 08:28:27
Copyright (c) 1991, 2010, Oracle. All rights reserved.
Message 1053 not found; No message file for product=network, facility=TNS
TNS-01189: Message 1189 not found; No message file for product=network, facility=TNS
Am I not clearing out the ORACLE_HOME properly (as suggested in the Metalink doc)?
-
I did the fix but it didn't fix the issue. It allows me to create the script but when it runs it will not add the user account.
Here is all the same setting aside from the user info being created.
https://www.dropbox.com/s/kkxmhls3bfs6ns3/Apple%20Support%20Installer%20Script.pkg
-
Groups in Address book on iPad will not let me create a new group
My address book on the iPad will not let me create a new group. The red ribbon is there and shows my groups that I already have, but when I click on the ribbon the plus sign does not appear on the group side to let me create one.
Can anyone help me? I have turned it off and back on.
You can't create new groups on a mobile device.
-
Illustrator will not authenticate under Windows 8.1
I have a Creative Cloud subscription.
Once I use it under Mac OS no problem.
But if I try to use it under a Windows 8.1 partition, on the same computer, CC will not authenticate Illustrator; all other apps are OK and running regularly.
Once I launch AI it keeps asking for connection to internet in order to authenticate.
Although Creative Cloud software is connected and logged in with my user account.
What's wrong?
Honestly I do not like people snooping around my computer remotely ......
But I would know what to do if there was a different method to authenticate Illustrator, e.g. like editing Windows Register file......
I'll wait.
For the moment I will use just the Mac version that does not have this kind of problems and performs much better.
Cheers